OFFICE OF INSPECTOR GENERAL

MEMORANDUM

DATE: June 13, 2001

TO: Chairman

FROM: Inspector General

SUBJECT: Report on Audit of Web Presence Security

The Office of Inspector General (OIG) has completed an Audit of Web Presence Security. A copy of our Audit Report, entitled “Audit of Web Presence Security” (Audit Report No. 00-AUD-01-10), is attached for your review and comment. The objective of this audit was to measure how successful the Commission has been in securing its web portals. Because the use of the Internet for commerce presents new and unique security challenges, we developed a set of specific information security related objectives for this audit. Specific objectives were to:

    • Determine if any conditions exist that could allow an external user or hacker to penetrate web server security and cause possible harm to Commission assets;
    • Ensure that the FCC is not vulnerable to known Web-based security attacks; and
    • Identify vulnerabilities in the general controls over web-based assets.

To accomplish the objectives of this audit, we contracted with the computer security firm of TWM Associates, Inc. (TWM) to perform the audit. Under our supervision, TWM developed an audit plan that was designed to measure the extent that the Commission’s web presence infrastructure fulfilled the above mentioned security goals. This audit included an assessment of the current security posture of those Commission-wide systems providing information via the Web and the use of audit tests and techniques designed to identify vulnerabilities in web presence security.
We interviewed FCC personnel responsible for Internet and web security, including the Computer Security Office (CSO), Information Technology Center (ITC) and Auctions systems personnel, and Bureau and Office personnel responsible for application development. We also reviewed FCC system documentation. In addition, we performed a number of tests to determine the level of security of the FCC’s web presence. For example, to determine what Internet system services the FCC web hosts offered, TWM examined the ITC and Auctions systems using a network scanning tool and used a proprietary program to perform sophisticated analyses of the FCC’s Unix and Windows NT web presence hosts. Finally, we used system penetration techniques to test the security of the Commission’s web-based applications.

During our audit, we found that the Commission has implemented numerous computer security controls designed to protect and preserve its web-based assets. However, during the audit, we identified thirty-eight findings (38) that impact the effectiveness of the Commission’s program. Six (6) of the audit findings were determined to be high-risk [1], thirty-one (31) were determined to be medium risk, and one (1) was determined to be low risk. Findings occurred in the areas of host and network access, system software, service continuity, and application software development controls. We recommend that the problems we identified be corrected to strengthen the security of the Commission’s web presence. Our recommendations, when implemented, will correct present problems and minimize the risk that future security problems will occur in the FCC’s Internet web presence. All recommendations contained in the attached report will be tracked for reporting purposes by the OIG.

On March 28, 2001, we issued a draft report summarizing the results of our audit.
In that draft report, we requested that the Wireless Telecommunications Bureau (WTB) and the Information Technology Center (ITC) respond to the findings and recommendations presented in our report. Each organization prepared a response addressing those findings and recommendations relevant to their portion of the Information Technology infrastructure. ITC provided comments on thirty-one (31) of the thirty-eight (38) findings contained in the draft report and WTB provided responses to twenty (20) findings.

In their response, ITC indicated concurrence with twenty-eight (28) of the thirty-one (31) findings for which they provided a response and indicated that they did not concur with three (3) findings. For one (1) of the findings with which ITC did not concur, we examined the response, agreed with ITC’s explanation and closed the finding. For two (2) of the findings where ITC indicated that they did not concur, ITC explains that the finding has been addressed by events that took place after fieldwork was completed on the audit. For each of these findings, we state in our comments that ITC should demonstrate this solution as part of the audit follow-up process to close this finding. We have included a copy of the response from ITC in its entirety as Appendix D to this report. Where ITC disagreed with our conclusions, we have added a section titled “OIG Comments,” to explain our position.

In their response, WTB indicated concurrence with each of the recommendations for the twenty (20) findings that applied to the bureau. Of these twenty (20) findings, WTB reported that fifteen (15) were closed as of May 7, 2001. We have included a copy of the response from WTB in its entirety as Appendix C to this report.

[1] Each audit finding was evaluated to determine its degree of exposure based on the following risk ratings. High: Security risk can cause a business disruption, if exploited.
Medium: Security risk in conjunction with other events can cause a business disruption, if exploited. Low: Security risk may cause operational annoyances, if exploited.

Audit of Web Presence Security

Table of Contents

EXECUTIVE SUMMARY
AUDIT OBJECTIVE
AUDIT SCOPE
AUDIT APPROACH
BACKGROUND
OBSERVATIONS
RESPONSE
APPENDIX A        FCC Web Presence Architecture
APPENDIX B        Detailed Findings and Recommendations
APPENDIX C        Report on Web Presence Security – WTB Response
APPENDIX D        Report on Web Presence Security – ITC Response

EXECUTIVE SUMMARY

The Federal Communications Commission (FCC) is increasingly using the Internet to conduct business and to disseminate information. For example, the Commission currently maintains several internet-based electronic filing (e-filing) systems that allow the public to submit and/or review the different types of filings related to FCC proceedings, rulemakings, tariffs, and official forms. To maintain those systems that allow the public to submit and/or review filings via the Internet, the FCC has developed an infrastructure that we have called the web presence.
The web presence includes all hardware, software, and network services that comprise the Commission’s Internet entry and egress points. We liken the Web Presence to the FCC’s doors and windows on the Internet.

Just as a prudent businessperson would check the security of the office doors and windows, we developed the scope of this audit to assess the current security posture of the FCC’s web presence. Again, like the businessperson, we focused much of our efforts on the external threat. Because the use of the Internet for commerce presents new and unique security challenges, we developed a set of specific information security related objectives for this audit. They include:

   • Determine if any conditions exist that could allow an external user or hacker to penetrate web server security and cause possible harm to Commission assets.
   • Ensure that the FCC is not vulnerable to known Web-based security attacks.
   • Identify vulnerabilities in the general controls over web-based assets.

To gauge the extent that the FCC met these goals, we contracted with TWM Associates, Inc. (TWM) to conduct an audit of web presence security. Under our guidance and supervision, TWM developed an audit workplan designed to measure the extent that the Commission’s web presence infrastructure fulfilled the above mentioned security goals. This audit workplan served as the basis for the audit TWM conducted on the web presence. This audit included an assessment of the current security posture of those Commission-wide systems providing information via the Web and the use of audit tests and techniques designed to identify vulnerabilities in web presence security.

During our audit, we found that the Commission has implemented numerous computer security controls designed to protect and preserve its web-based assets.
However, during the audit, we identified thirty-eight findings (38) that impact the effectiveness of the Commission’s program. These findings occurred in the areas of host and network access, system software, service continuity, and application software development controls. We recommend that the problems we identified be corrected to strengthen the security of the Commission’s web presence. Our recommendations will correct present problems and minimize the risk that future security problems will occur in the FCC’s Internet web presence.

The two entities primarily responsible for the security of the FCC’s Web Presence, the Wireless Telecommunications Bureau (WTB) and the Information Technology Center (ITC), prepared separate responses to the draft report and its thirty-eight (38) findings. In the WTB response, the Chief, WTB, concurred with the recommendations for the twenty (20) findings that applied to the bureau. Of these twenty (20) findings, WTB reported that fifteen (15) were closed as of May 7, 2001. We have included a copy of the response from WTB in its entirety as Appendix C to this report.

In the ITC response to the draft report, the Chief Information Officer (CIO) concurred with or concurred with comments to twenty-eight (28) of the thirty-one (31) findings that applied to ITC. The ITC disagreed with the recommendations of three (3) findings. Also, ITC requested that we reclassify the severity of a third finding, while concurring with its recommendation. In response, we have added our comments to the end of these four (4) findings. We have included a copy of the response from ITC in its entirety as Appendix D to this report.
Where ITC disagreed with our conclusions, we have added a section titled “OIG Comments,” to explain our position.

AUDIT OBJECTIVE

The objective of this audit was to measure how successful the Commission has been in securing its web portals. Because the use of the Internet for commerce presents new and unique security challenges, we developed a set of specific information security related objectives for this audit. Specific objectives were to:

   • Determine if any conditions exist that could allow an external user or hacker to penetrate web server security and cause possible harm to Commission assets.
   • Ensure that the FCC is not vulnerable to known Web-based security attacks.
   • Identify vulnerabilities in the general controls over web-based assets.

To gauge the extent that the FCC met these goals, we contracted with TWM to perform the audit on the web presence. Under our supervision, TWM developed an audit workplan that was designed to measure the extent that the Commission’s web presence infrastructure fulfilled the above mentioned security goals. This audit workplan served as the basis for the audit TWM conducted on the web presence. This audit included an assessment of the current security posture of those Commission-wide systems providing information via the Web and the use of audit tests and techniques designed to identify vulnerabilities in web presence security.

We employed the following audit techniques to accomplish this objective. We interviewed FCC personnel responsible for Internet and web security, including the Computer Security Office (CSO), Information Technology Center (ITC) and Auctions systems personnel, and Bureau and Office personnel responsible for application development. We sent questionnaires and e-mails to the CSO, and selected Bureau and Office personnel.
We also reviewed FCC system documentation.

In addition, we performed a number of tests to determine the level of security of the FCC’s web presence. To determine what Internet system services the FCC web hosts offered, TWM examined the ITC and Auctions systems using nmap, a network scanning tool commonly used by auditors and computer security professionals. TWM used a proprietary program to perform sophisticated analyses of the FCC’s Unix and Windows NT web presence hosts. Finally, we used system penetration techniques to test the security of the Commission’s web-based applications.

AUDIT SCOPE

This audit was conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS) and included such analyses, interviews, and testing as required to support the audit findings.

The scope of this audit encompassed that portion of the Information Technology (IT) infrastructure we defined as the FCC’s web presence. The web presence is the architecture that includes all hardware, software, and network infrastructure that comprises the Commission’s Internet entry and egress points.

The hardware that we reviewed all contributed in providing security to the FCC’s web presence. Appendix A, FCC Web Presence Architecture, High Level Overview, provides a high level illustration of the FCC’s web presence infrastructure. Our review included those network devices illustrated in Appendix A, such as firewalls, routers, hosts, and switches. Finally, our review encompassed both the Auctions and ITC infrastructure.

The hosts we reviewed were primarily located in the Demilitarized Zones (DMZ) of the ITC and Auctions systems. The DMZ refers to a complex multiple machine firewall setup, where a computer is placed outside the firewall, but is still available for use by the internal (protected) network.
The advantage of a DMZ computer is it can use and receive information from the entire Internet. The disadvantage is that the DMZ may be vulnerable to attack from parties unknown. [1] As Appendix A illustrates, the ITC modified their DMZ by placing the DMZ hosts between an outer and an inner firewall.

Our audit of the web presence infrastructure also included a review of operating system controls of the DMZ hosts. This review was performed to determine if any vulnerabilities existed that could allow intruders unauthorized access through the web presence architecture and included penetration testing. We also reviewed selected application program controls in FCC electronic filing (e-filing) systems that allow users electronic access to Commission data and information. The controls we reviewed included password standards and the use of encryption in e-filing systems. These e-filing systems include applications for license or tariff filing or renewal, fee payment and Auctions bidding procedures.

The scope of our audit was limited to the FCC’s web presence. No database systems or servers were reviewed. No controls over Intranet sites were reviewed.

We performed a limited review of application controls on e-filing systems. This encompassed a review of userIDs and passwords and the use of encryption to transmit data over the Internet. We reviewed backup and contingency planning procedures of e-filing applications. We did not review enterprise backup and contingency planning procedures.

The audit was conducted at the Commission headquarters facility located at 445 12th Street, Southwest, Washington, DC. Fieldwork on this audit was conducted from February 25, 2000 through January 30, 2001.

AUDIT APPROACH

The technical approach was based on the audit methodology found in the General Accounting Office (GAO) Federal Information Systems Control and Audit Manual (FISCAM), dated January 1999.
This manual covers the essential requirements for evaluating the Commission’s information systems general controls procedures. We also used contractor proprietary procedures to augment the FISCAM.

[1] DSL Reports, Knowledge Base, URL: http://www.dslreports.com/information/kb/DMZ. (March 6, 2001).

Our evaluation focused on two (2) of the six (6) FISCAM general controls categories as they applied to web presence activities:

• Access controls limit or detect access to computer resources (data, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure [2].

• System software controls limit and monitor access to the powerful programs and sensitive files that control the computer hardware and secure applications supported by the system [3].

We also incorporated selected portions of the FISCAM sections addressing service continuity and application software development. Service continuity controls ensure that, when unexpected events occur, critical operations continue without interruption, or are promptly resumed and critical and sensitive data are protected. We performed a limited review of service continuity controls as they related to selected e-filing applications.

Application software development and change controls prevent unauthorized programming or program modifications. An assessment of the coding of Application Controls was beyond the scope of this review. The extent of the application controls review was limited to information obtained by interview and by assessing common techniques used to protect data during transmission and while obtaining access.

Under our approval and supervision, TWM used proprietary tools and audit procedures to perform complex technical analyses. This combined approach also addressed many of the general controls contained in OMB Circular No.
A-130, Appendix III.

The audit team consisted of the following members:

          Thomas Bennett              FCC, Office of Inspector General
          Walter Opaska               FCC, Office of Inspector General
          Ian M. Harper               TWM Associates, Inc.
          Dave Elliott                TWM Associates, Inc.
          Jeff Sullivan               TWM Associates, Inc.

The audit included the following three phases:

          Internal Controls Phase--to develop an understanding of the organizations, operations, and activities related to the program and system, and identify the potential risks to determine the extent of detailed analyses and testing necessary;

          Testing Phase--to accomplish the detailed analyses and testing steps necessary to complete the audit; and

          Reporting Phase--to formally report the results of the audit, including conditions, causes, effects, criteria, conclusions (when warranted) and recommendations.

[2] United States General Accounting Office, Federal Information Systems Control and Audit Manual, Volume 1, January, 1999, p. 3-1.
[3] Ibid., p. 3-2.

Step One: Internal Controls Phase

Objective: The objective of this step was to identify previous audits, existing design, implementation, and operational documents that describe the business processes, organizations, and security policies associated with the FCC Web Presence.

During this phase, the audit team focused on gathering information on FCC policies, previous OIG or other regulatory audit reports and reviews, and design, implementation and operational audit documents for the FCC Web Presence.
As part of this effort the Web Presence OIG Audit team requested information on various aspects of the function and composition of systems providing Web-based resources.

Step Two: Testing Phase

Objective: The objective of this step was to verify the security posture of the FCC systems providing information via the World Wide Web and to identify security weaknesses in the general controls and application development techniques in the areas of access controls, network security, and system software.

In Phase 2, Testing, the audit team: (1) assessed the current security posture of the Commission-wide systems providing information via the Web; (2) identified vulnerabilities in the General Controls; and (3) reviewed application development techniques to ensure that the FCC is not vulnerable to known Web-based attacks.

Step Three: Reporting Phase

Objective: The objectives of this step were to report observations in control weaknesses associated with the FCC Web Presence within the context of periodic status reports and final audit test report. This report is the manifestation of this step.

In Phase 3, Reporting, the audit team prepared status reports, presentations, and meeting notes. These documents reflected the current state of the FCC Web Presence audit effort. This step included the production of the draft reports and final Audit Report. The final report contains all observations, recommendations, and findings.

BACKGROUND

Federal agencies are required by law to protect information resources and assets under their control. Public laws, Office of Management and Budget (OMB) circulars and memorandums, Presidential Decision Directives (PDDs), and National Institute of Standards and Technology (NIST) publications, enumerate the federal information security framework for agencies, such as the FCC.
Also, the Commission has its own guidelines that are incorporated into an FCC directive on information security.

A number of public laws deal with information security. For example, the Computer Fraud and Abuse Act of 1986 (PL 99-474) prohibits unauthorized or fraudulent access to government computers and establishes penalties for such access. Other laws of general application that apply to the protection of information resources include the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and the Government Information Security Reform Act.

OMB circulars and memorandums provide direction as to how federal agencies are to implement these privacy laws. Appendix III of OMB Circular A-130 discusses the security of Federal Automated Information Resources. Appendix III “establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems [4].” Other OMB circulars and memorandums that apply to information security include Circular A-123, Management Accountability and Control, Memorandum M-99-18, Privacy Policies on Federal Web Sites, and Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites. These OMB documents add details that assist departments and agencies in implementing the laws related to privacy in the Internet environment.

Presidential Decision Directives specify agency responsibilities in specific areas. PDD 63, Protecting America’s Critical Infrastructures, specifies agency responsibilities for protecting the nation’s infrastructure [5].
Another, PDD 67 Enduring Constitutional Government and Continuity of Government, has sections that relate to continuity of operations planning [6].

NIST publications provide clarification of federal security principles. NIST Special Publication 800-12, Computer Security, provides assistance in securing computer-based resources by explaining important concepts, cost considerations, and the interrelationships of security controls [7]. Other relevant NIST publications include NIST Special Publications 800-4, Computer Security Considerations in Federal Procurements, 800-14, Security Considerations in Computer Support and Operations Standardized Log-on Banner, and 800-18, Guide for Developing Security Plans for Information Processing Systems. Many of the Federal Information Publishing Standards (FIPS) series published by NIST are also useful. For example, FIPS Publication 112, Password Usage, defines the security metrics for passwords and specifies minimum security criteria for access control systems based on passwords [8].

[4] Office of Management and Budget Circular No. A-130, Management of Federal Information Resources, February 8, 1996. URL: http://www.whitehouse.gov/omb/circulars/a130/a130.html. (March 13, 2001)
[5] CIO Council, Federal Information Security Assessment Network, November 28, 2000. http://cio.gov/docs/federal_it_security_assessment_framework.htm. (February 2, 2001).
[6] Ibid.
[7] Introduction to Computer Security: The NIST Handbook, URL: http://www.claitors.com/prf/catelog/003-003-03374-0.html. (March 13, 2001).

We relied on the FCC Security Directives as a primary security authority.
FCC Directive 1479.1, Computer Security Program Directive, establishes policy and assigns responsibilities for assuring that there are adequate levels of protection for all FCC computer systems and information created, stored, or processed, therein [9]. This comprehensive computer security document was used as one of our key criteria when performing this review.

OBSERVATIONS

Our review found that the FCC had an active and generally effective program for managing the security of the Commission’s Web Presence. During our audit, we found that the Commission has implemented numerous computer security controls designed to protect and preserve its web-based assets.

Although the Commission has implemented numerous controls, we identified thirty-eight (38) findings that impact the effectiveness of the Commission’s program. These findings occurred in the areas of host and network access, system software, service continuity, and application software development controls. We recommend that the problems we identified be corrected to strengthen the security of the Commission’s web presence. Our recommendations will correct present problems and minimize the risk that future security problems will occur in the FCC’s Internet web presence.

Appendix B, Detailed Finding and Observations, lists the observations and recommendations from the review of the FCC Web Presence. Because of the sensitivity of the observations, we have classified Appendix B as privileged and confidential, for internal FCC use only and will release that appendix only to those FCC personnel with a need for the information.

RESPONSE

The two entities primarily responsible for the security of the FCC’s Web Presence, the Wireless Telecommunications Bureau (WTB) and the Information Technology Center (ITC), prepared separate responses to the draft report and its thirty-eight (38) findings.
In the WTB response, the Chief, WTB, concurred with the recommendations for the twenty (20) findings that applied to the bureau. Of these twenty (20) findings, WTB reported that fifteen (15) were closed as of May 7, 2001. We have included a copy of the response from WTB in its entirety as Appendix C to this report.

[8] FIPS Listed by Number, August 11, 2000. URL: http://www.itl.nist.gov/fipspubs/by-num.htm. (March 14, 2001).
[9] FCC Instruction 1479.1, Computer Security Program Directive, November 30, 1995, URL: http://intranet.fcc.gov/omd2/docs/directives/fccinst1479_1.html. (March 14, 2001).

In the ITC response to the draft report, the Chief Information Officer (CIO) concurred or concurred with comments to twenty-eight (28) of the thirty-one (31) findings that applied to ITC. The ITC disagreed with the recommendations of three (3) findings. Also, ITC requested that we reclassify the severity of a third finding, while concurring with its recommendation. In response, we have added our comments to the end of these four (4) findings. We have included a copy of the response from ITC in its entirety as Appendix D to this report. Where ITC disagreed with our conclusions, we have added a section titled “OIG Comments,” where we explain our position.

ITC also stated that the concurrence and completion dates associated with each of the respective IG recommendations is conditional prior to the completion of a cost, staffing and impact analysis for each of the action items provided in your report. The cost analysis is being formulated and will be shared with the IG office once approved by the CIO. As of the date of the issuance of this report, the OIG has not received this cost, staffing, and impact analysis.